Skip to main content

Linux Kernel ext4 CVE-2026-31447

| EUVDEUVD-2026-24782 HIGH
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mgcw-5h4f-3529
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:27 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24782
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: reject mount if bigalloc with s_first_data_block != 0

bigalloc with s_first_data_block != 0 is not supported, reject mounting it.

AnalysisAI

Linux kernel ext4 filesystem allows mounting of maliciously crafted filesystems with bigalloc and non-zero s_first_data_block, potentially triggering memory corruption or information disclosure. Affects all Linux kernel versions from 2.6.12 (commit 1da177e) through 7.0, with patches released in stable branches 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, and 6.19.11. CVSS 7.8 indicates high severity with local access and user interaction required. EPSS score of 0.02% (7th percentile) suggests low probability of widespread exploitation, and no active exploitation confirmed (not in CISA KEV).

Technical ContextAI

The ext4 filesystem's bigalloc feature allows multiple physical blocks to be grouped into allocation units called clusters, improving performance for large files. The superblock field s_first_data_block typically indicates the first block containing filesystem data (normally 0 for bigalloc). The vulnerability stems from inadequate mount-time validation that fails to reject the unsupported configuration of bigalloc filesystems where s_first_data_block != 0. This combination can cause the kernel's block allocation logic to miscalculate cluster boundaries, potentially leading to out-of-bounds memory access during filesystem operations. The fix adds explicit validation in the ext4 mount path to reject this invalid configuration before filesystem structures are initialized. All kernel versions since the initial git import (2.6.12-rc2, commit 1da177e) are affected, as bigalloc support was added later but mount validation was never hardened against this edge case.

RemediationAI

Update to patched kernel versions: 5.10.253+, 5.15.203+, 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, or mainline 7.0+. Patches available from kernel.org stable trees via git commits referenced in NVD advisories (https://git.kernel.org/stable/c/3822743dc20386d9897e999dbb990befa3a5b3f8 and related commits for each stable branch). Distribution-specific updates should be applied via package managers once vendors release kernel security updates. For systems that cannot immediately patch, implement compensating controls: (1) Restrict filesystem mounting to trusted administrators only by removing mount privileges from unprivileged users via /etc/fstab and polkit policies - note this breaks legitimate user workflows requiring removable media access; (2) Disable auto-mounting of removable media in desktop environments and systemd-udevd rules - reduces USB attack surface but impacts usability; (3) If ext4 bigalloc feature is not required, reformat filesystems without bigalloc to eliminate the vulnerable code path - requires data migration downtime and loses performance benefits; (4) Deploy filesystem integrity monitoring to detect suspicious mount attempts via auditd rules tracking mount syscalls with ext4 type - generates alert noise but provides detection layer. Each mitigation trades functionality or performance for security.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy